Can a backscan be forced?

Yes, there is a way to force the initial breach assessment or backscan on a Stairwell forwarder. Typically the only reason to force a backscan is that the initial backscan was skipped; however, regardless of whether a backscan was ever performed, it can be forced to run again.

Windows

  1. Stop the Stairwell service
  2. Update the registry keys under HKLM\Software\Stairwell\SwellService\ or HKLM\Software\Stairwell\Inception\ (whichever of the two paths your install uses)
  3. Restart the Stairwell service
SwellService registry path / StairwellForwarder service:

@echo on
sc.exe stop StairwellForwarder
reg.exe add HKLM\Software\Stairwell\SwellService /v FullVolumeScan /t REG_DWORD /d 1 /f
reg.exe delete HKLM\SOFTWARE\Stairwell\SwellService /v BackscanStatus /f
reg.exe delete HKLM\SOFTWARE\Stairwell\SwellService /v BackscanComplete /f
reg.exe delete HKLM\SOFTWARE\Stairwell\SwellService /v BackscanStarted /f
sc.exe start StairwellForwarder
sc.exe query StairwellForwarder

Inception registry path / InceptionForwarder service:

@echo on
sc.exe stop InceptionForwarder
reg.exe add HKLM\Software\Stairwell\Inception /v FullVolumeScan /t REG_DWORD /d 1 /f
reg.exe delete HKLM\SOFTWARE\Stairwell\Inception /v BackscanStatus /f
reg.exe delete HKLM\SOFTWARE\Stairwell\Inception /v BackscanComplete /f
reg.exe delete HKLM\SOFTWARE\Stairwell\Inception /v BackscanStarted /f
sc.exe start InceptionForwarder
sc.exe query InceptionForwarder
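The same three Windows steps as one idempotent PowerShell script. This is an added example, not a Stairwell-provided tool: it assumes the pairings shown in the two batch snippets above (StairwellForwarder with the SwellService key, InceptionForwarder with the Inception key), picks whichever pair is actually installed on the host, records the registry state before changing it, and waits for the service to report Stopped and then Running instead of assuming the sc.exe calls completed. Run it from an elevated PowerShell session.

```powershell
# Added example (not Stairwell's own tooling): force a backscan on Windows by
# resetting the forwarder's registry state for whichever install variant is
# present. Assumption: service/key pairing follows the two batch snippets
# on this page (StairwellForwarder <-> SwellService, InceptionForwarder <-> Inception).
# Requires an elevated (Administrator) PowerShell session.

$Variants = @(
    @{ Service = 'StairwellForwarder'; Key = 'HKLM:\SOFTWARE\Stairwell\SwellService' },
    @{ Service = 'InceptionForwarder'; Key = 'HKLM:\SOFTWARE\Stairwell\Inception' }
)

# Select the variant whose service AND registry key both exist on this host.
$Target = $Variants | Where-Object {
    (Get-Service -Name $_.Service -ErrorAction SilentlyContinue) -and (Test-Path -Path $_.Key)
} | Select-Object -First 1

if (-not $Target) {
    throw 'No Stairwell forwarder service/registry pair found; nothing to reset.'
}

$svc = $Target.Service
$key = $Target.Key
Write-Host "Resetting backscan state for service '$svc' under '$key'"

# Record the pre-reset values so the change is auditable in the session log.
$before = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
    Select-Object FullVolumeScan, BackscanStatus, BackscanComplete, BackscanStarted
Write-Host "State before reset:`n$($before | Out-String)"

# Step 1: stop the service and block until it actually reports Stopped.
Stop-Service -Name $svc -Force
(Get-Service -Name $svc).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# Step 2: request a full volume scan and clear the three Backscan* markers.
# A marker that is already absent is skipped rather than treated as an error.
Set-ItemProperty -Path $key -Name 'FullVolumeScan' -Value 1 -Type DWord
foreach ($name in 'BackscanStatus', 'BackscanComplete', 'BackscanStarted') {
    Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
}

# Step 3: start the service again and confirm it reaches Running.
Start-Service -Name $svc
(Get-Service -Name $svc).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
Get-Service -Name $svc | Format-Table Name, Status -AutoSize
```

If the service does not reach Stopped or Running within the timeout, WaitForStatus throws and the script halts before the registry is touched (or before it reports success), which is the point of checking state rather than relying on the return code of sc.exe.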

Linux

  1. Stop the Stairwell Service
  2. Remove the backscan file /var/lib/stairwell/scansession.json
  3. Start the Stairwell service
systemctl stop stairwell
rm /var/lib/stairwell/scansession.json
systemctl start stairwell

Mac

  1. Delete the Keychain entries for backscans
sudo security delete-generic-password -a FullDiskScanState
sudo security delete-generic-password -a FullScanStatus
  2. Reload the forwarder
sudo /Applications/Inception\ Forwarder.app/Contents/MacOS/Inception\ Forwarder uninstall-extension
sudo /Applications/Inception\ Forwarder.app/Contents/MacOS/Inception\ Forwarder install-extension